CN107332738A - A kind of method and system of quick discovery network probe - Google Patents
A kind of method and system of quick discovery network probe Download PDFInfo
- Publication number
- CN107332738A CN107332738A CN201710618351.2A CN201710618351A CN107332738A CN 107332738 A CN107332738 A CN 107332738A CN 201710618351 A CN201710618351 A CN 201710618351A CN 107332738 A CN107332738 A CN 107332738A
- Authority
- CN
- China
- Prior art keywords
- packet
- network
- probe
- data
- caching
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/50—Testing arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/90—Buffering arrangements
- H04L49/9047—Buffering arrangements including multiple buffers, e.g. buffer pools
Abstract
The present invention provides a kind of method and system of quick discovery network probe, and this method includes:(1) packet in collection network environment, forms network data flow;(2) packet in analysis network data flow, filters out the packet relevant with probe device;(3) according to the analysis to probe device packet, the position of positioning probe equipment;The system includes:Adapter management module, document management module, packet capturing module, identification module, data pack buffer management module.The present invention have the advantages that to find precisely, rapidly and efficiently, a variety of practical scenes of adaptation and initial data can be reappeared.
Description
Technical field
The present invention relates to network data processing field, a kind of method more particularly, to quick discovery network probe and it is
System.
Background technology
Network probe is a kind of hardware device for obtaining network traffics, and it is serially connected in the chain for needing to catch flow when using
Lu Zhong, flow information is obtained by shunting the data signal on link.Probe device is disposed by light splitting or mirror port,
Influence will not be brought on network performance, therefore supports to be acquired the flow of high-speed link.
Probe device has following feature:
1st, in terms of deployment, probe integrated SFP transceivers in itself, its outward appearance and the completely compatible common optical-fibre communications of function
Module, can be directly inserted on interchanger, gather, filter the flow of the module.
2nd, in terms of manipulation, probe can be from its exterior remote control, without obtaining network environment authority, interventional systems
It is internal.These characteristics are concealed it to use.
3rd, in terms of data collection, probe device can snugly by the data captured from Intranet be dealt into outer net without
Introduce other hardware devices.
Although probe device can bring value to Internet Service Provider and other kinds mechanism, it is to network number
The hidden danger come according to safety belt is also very important.It more can snugly be normally used as a kind of spy device, to some
Sensitive information is stolen, so as to bringing loss using all kinds of mechanisms of internet and user, or even threaten national security.
Due to its Noninvasive (not influenceing network performance) and equipment in access network in itself compatibility (outward appearance and
The completely compatible common optical fiber communication modules of function), only find that probe is hardly possible from General Properties such as outward appearances.
The content of the invention
It is an object of the invention to:There is provided a kind of side of quick discovery network probe for the problem of existing for prior art
Method and system, can help to solve that probe device is ND to ask in analyzing network circumstance by the data traffic produced
Topic.
The goal of the invention of the present invention is achieved through the following technical solutions:
A kind of method of quick discovery network probe, it is characterised in that this method includes:
(1) packet in collection network environment, forms network data flow;
(2) packet in analysis network data flow, filters out the packet relevant with probe device;
(3) according to the analysis to probe device packet, the position of positioning probe equipment.
As further technical scheme, the method for the packet in collection network environment is that lattice chain is obtained from network interface card
Packet in road or by way of reading file from the data APMB package being collected into read data packet or foregoing two kinds
Carry out simultaneously.
As further technical scheme, forming the method for network data flow includes:Packet capturing thread is cached from packet capturing first
Queue obtains a data pack buffer, and then the packet of capture is stored in the caching successively, once being filled with, will can be cached
It is added to identification buffer queue;Recognize that thread obtains a caching from identification buffer queue, each packet of the inside is entered
Row identification, and caching will be returned to packet capturing buffer queue.
As further technical scheme, if requiring reduction, the caching after identifying processing is put into also by identification thread
Former buffer queue.
As further technical scheme, packet capturing thread also has a corresponding timing thread, and it is regularly by packet capturing thread
The caching used is added to identification buffer queue by force.
As further technical scheme, the method for the packet in analysis network data flow includes:Pass through port analysis
The method analyzed with protocol characteristic.
As further technical scheme, it is later that the packet relevant with probe device includes network probe addition mark
The control data bag produced when forwarding packet, and network probe to be communicated with its supporting analytical equipment.
As further technical scheme, this method includes:The packet relevant to probe device is reduced.
A kind of system of quick discovery network probe, the system includes:
Adapter management module, the network interface card possessed for Ergodic Theory obtains the static information of network interface card, initialization and release
Network interface card;
Document management module, for opening and closing data APMB package, obtains the essential information of data APMB package;
Packet capturing module, for capturing packet or from data APMB package read data packet from network interface card;
Identification module, for the packet that packet capturing module is obtained to be identified, determines whether packet sets with probe
Standby correlation;
Data pack buffer management module, for distributing, initially for the buffer queue used in modules mentioned above
Change and destroy.
As further technical scheme, the system includes recovery module, relevant with probe device for that will be identified as
Packet is reduced, and obtains raw data packets.
Compared with prior art, the present invention has advantages below:
1st, find accurate.
The method for employing traffic characteristic identification and port identification is combined, and can be recognized exactly related to probe device
Network traffic data.Onboard data bag analysis engine technology, can be from Internet, transport layer, application layer different levels, from single
The difference angle such as packet, whole piece data flow is analyzed network flow data.
2nd, rapidly and efficiently.
System receives the network data for card of being thrown the net from 4 simultaneously, data APMB package can also be analyzed simultaneously, performance
It is higher, a large amount of network traffic datas can be analyzed within the short time, it is not easy to situation about failing to report.System is signified
Fixed network interface card quantity and number of threads are to carry out experiment repeatedly and the data proved for current main-stream network workstation, can
The performance of hardware device and software architecture is substantially played, a relatively good effect is reached.
3rd, data convert.
System can not only precisely recognize the position of network probe, moreover it is possible to which the packet for forwarding network probe is carried out
Reduction, so as to reappear initial data, helps network manager further to be analyzed.
4th, a variety of practical scenes are adapted to.
System both can carry out data acquisition for wall scroll network link, can also carry out data by a plurality of network link
Collection, can at most be supported while gathering the data of 4 links.Meanwhile, the form that system can be read by data APMB package
To support the analysis to historical data.
Brief description of the drawings
Fig. 1 is schematic flow sheet of the invention;
Fig. 2 is system architecture diagram of the invention.
Embodiment
The present invention is described in detail with specific embodiment below in conjunction with the accompanying drawings.
Embodiment
The present invention provides a kind of method of the quick discovery network probe based on five tunnels-triple channel, as shown in figure 1, including
Following steps:
Packet in step 1, collection network environment, forms network data flow.
The method of packet in collection network environment is from the packet in acquisition network link on network interface card or by reading
The mode of file read data packet or foregoing two kinds of progress simultaneously from the data APMB package being collected into.Network is obtained simultaneously
The network interface card quantity of packet can at most reach 4 in link.
Forming the method for network data flow includes:Packet capturing thread obtains a packet from packet capturing buffer queue first and delayed
Deposit, then the packet of capture is stored in the caching successively, once being filled with, caching can be added to identification buffer queue;
Recognize that thread obtains a caching from identification buffer queue, each packet of the inside is identified, and caching will be returned
Return packet capturing buffer queue.If it is required that the caching after identifying processing is put into reduction buffer queue by reduction, identification thread.Keep away
Exempt from because caching can not be filled up and can not be slowly identified for a long time, packet capturing thread also has a corresponding timing thread, it determines
When the caching that is using packet capturing thread be added to identification buffer queue by force.
Packet in step 2, analysis network data flow, filters out the packet relevant with probe device.
The method of packet in analysis network data flow includes:The method analyzed by port analysis and protocol characteristic.
The port and feature used during analysis is relevant with specific probe model, it is necessary to be determined by beforehand research.
The packet relevant with probe device includes network probe and adds the later forwarding packet of mark, and network is visited
The control data bag that pin is produced when being communicated with its supporting analytical equipment.
The analysis of step 3, basis to probe device packet, the position of positioning probe equipment.
The position of positioning probe equipment, refers to provide IP address and port numbers of the probe in network.
The inventive method can also include step
Step 4, the data traffic relevant to probe device are counted.
Step 5, the packet relevant to probe device are reduced.
Restoring data, is after being rejected by the mark that probe is added, to take out the initial data forwarded by probe.
A kind of network probe that the present embodiment is provided finds system, as shown in Fig. 2 including:
Adapter management module:The network interface card (most 4) that responsible Ergodic Theory possesses, obtains the static information of network interface card, just
Beginningization, release network interface card etc..
Document management module:It is responsible for opening and closing data APMB package, obtains the essential information of data APMB package, including text
Part name, file path, size, etc..
Packet capturing module:It is responsible for capturing packet or from data APMB package read data packet from network interface card.
Identification module:It is responsible for that the packet that packet capturing module is obtained is identified, determines whether packet sets with probe
Standby correlation.
Recovery module:It is responsible for be identified as the packet relevant with probe device and being reduced, obtains raw data packets.
Data pack buffer management module:It is responsible for the buffer queue used in modules mentioned above to distribute, initially
Change and destroy.
UI modules:User interface and displaying analysis result are provided, are responsible for the operation of response user, collection number is such as specified
According to network interface card, specify the file etc. of read data packet, carry out interface while being responsible for timing and obtaining data from lower floor's logic module
Refresh.
Every network interface card passage can handle the data for card of being thrown the net from two.Card of often throwing the net a piece packet capturing thread of correspondence, is responsible for
Packet is obtained from network interface card.Packet capturing thread obtains a data pack buffer from packet capturing buffer queue first, then by the number of capture
It is stored in successively in the caching according to bag, once being filled with, caching can be added to identification buffer queue.Packet capturing thread also have one it is right
The timing thread answered, the caching that it is regularly using packet capturing thread is added to identification buffer queue and (avoided because slow by force
Depositing can not fill up and can not slowly be identified for a long time).Packet capturing thread can be obtained after current cache is placed to identification buffer queue
Another is taken to be deposited.Three groups of threads are up to during analysis to be analyzed and processed at the same time.
Specifically, in a treatment channel, there is two groups of packet capturing components, an identification thread and a reduction line
Journey, the data communication between them is completed by one group of buffer queue:Packet capturing buffer queue, identification buffer queue and reduction caching team
Row.
The flowing of data is that in units of Buffer, i.e., each processing thread performs single treatment task will be to one
Buffer processing (includes multiple packets).Buffer trend is as shown by the arrows in figure 2.
There is a situation where that for a long time Buffer can not be filled up in view of packet capturing thread, allow timing thread regularly from packet capturing thread
Place takes out the Buffer used, and puts into identification buffer queue (shown in dotted line).
If software not enabled restoring data pack mode, identification thread will not will recognize that the Buffer completed is put into reduction
Buffer queue, but directly give back packet capturing buffer queue (shown in dotted line).
The working mechanism of file approach is consistent with network interface card passage, and simply the packet of the passage is not from network link
Obtain, but read from data APMB package.
Identification thread be responsible for the packet that is captured by packet capturing thread of identification, it is necessary to detect these packets whether be with
The device-dependent packet of network probe, including the later forwarding packet of network probe addition mark, and network probe with
The control data bag produced during its supporting analytical equipment communication.Recognize that thread obtains a caching from identification buffer queue, to inner
Each packet in face is identified, and by the caching after identifying processing be put into reduction buffer queue (if require reduce) or
Caching is returned into packet capturing buffer queue (if not requiring reduction).Identification statistical information is given UI and is shown.
The packet content that reduction thread is responsible for will determine as probe forwarding is reduced.It takes out from reduction buffer queue
One caching, is handled each forwarding packet therein.Handle and packet capturing caching team is returned to after a caching
Row.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the invention, it is noted that all
Any modifications, equivalent substitutions and improvements made within the spirit and principles in the present invention etc., should be included in the guarantor of the present invention
Within the scope of shield.
Claims (10)
1. a kind of method of quick discovery network probe, it is characterised in that this method includes:
(1) packet in collection network environment, forms network data flow;
(2) packet in analysis network data flow, filters out the packet relevant with probe device;
(3) according to the analysis to probe device packet, the position of positioning probe equipment.
2. the method for a kind of quick discovery network probe according to claim 1, it is characterised in that in collection network environment
Packet method be packet from network link is obtained on network interface card or by way of reading file from being collected into
Data APMB package in read data packet or it is foregoing two kinds simultaneously carry out.
3. the method for a kind of quick discovery network probe according to claim 1, it is characterised in that form network data flow
Method include:Packet capturing thread first from packet capturing buffer queue obtain a data pack buffer, then by the packet of capture according to
It is secondary to be stored in the caching, once being filled with, caching can be added to identification buffer queue;Identification thread is obtained from identification buffer queue
A caching is taken, each packet of the inside is identified, and caching will be returned to packet capturing buffer queue.
4. the method for a kind of quick discovery network probe according to claim 3, it is characterised in that if requiring reduction,
Then the caching after identifying processing is put into reduction buffer queue by identification thread.
5. the method for a kind of quick discovery network probe according to claim 3, it is characterised in that packet capturing thread also has one
The corresponding timing thread of root, the caching that it is regularly using packet capturing thread is added to identification buffer queue by force.
6. a kind of method of quick discovery network probe according to claim 1, it is characterised in that analysis network data flow
In the method for packet include:The method analyzed by port analysis and protocol characteristic.
7. the method for a kind of quick discovery network probe according to claim 1, it is characterised in that relevant with probe device
Packet include network probe and add the later forwarding packet of mark, and network probe communicates with its supporting analytical equipment
When the control data bag that produces.
8. the method for a kind of quick discovery network probe according to claim 1, it is characterised in that this method includes:It is right
The relevant packet of probe device is reduced.
9. a kind of system of quick discovery network probe, it is characterised in that the system includes:
Adapter management module, the network interface card possessed for Ergodic Theory obtains the static information of network interface card, initialization and release net
Card;
Document management module, for opening and closing data APMB package, obtains the essential information of data APMB package;
Packet capturing module, for capturing packet or from data APMB package read data packet from network interface card;
Identification module, for the packet that packet capturing module is obtained to be identified, determines that packet is and probe device phase
Close;
Data pack buffer management module, distribution for the buffer queue used in modules mentioned above, initialization and
Destroy.
10. the system of a kind of quick discovery network probe according to claim 9, it is characterised in that the system is included also
Grand master pattern block, being reduced for will be identified as the packet relevant with probe device, obtaining raw data packets.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710618351.2A CN107332738A (en) | 2017-07-26 | 2017-07-26 | A kind of method and system of quick discovery network probe |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710618351.2A CN107332738A (en) | 2017-07-26 | 2017-07-26 | A kind of method and system of quick discovery network probe |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN107332738A true CN107332738A (en) | 2017-11-07 |
Family
ID=60200719
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710618351.2A Pending CN107332738A (en) | 2017-07-26 | 2017-07-26 | A kind of method and system of quick discovery network probe |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107332738A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110166318A (en) * | 2019-05-15 | 2019-08-23 | 杭州迪普科技股份有限公司 | A kind of data statistical approach and device |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1980159A (en) * | 2005-12-08 | 2007-06-13 | 信息产业部电信传输研究所 | Internet protocol network end-to-end performance monitoring system and method |
| US20080089336A1 (en) * | 2006-10-17 | 2008-04-17 | Christina Woody Mercier | Location of a probe algorithm |
| CN102821024A (en) * | 2011-06-07 | 2012-12-12 | 中兴通讯股份有限公司 | Method, device and system for implementing safety of data link |
| CN103944887A (en) * | 2014-03-24 | 2014-07-23 | 西安电子科技大学 | Intrusion event detection method based on hidden conditional random field |
| CN106101130A (en) * | 2016-07-08 | 2016-11-09 | 北京易华录信息技术股份有限公司 | A kind of network malicious data detection method, Apparatus and system |
| CN106713307A (en) * | 2016-12-20 | 2017-05-24 | 中国科学院信息工程研究所 | Method and system for detecting consistency of flow tables in SDN (Software-defined Networking) |
-
2017
- 2017-07-26 CN CN201710618351.2A patent/CN107332738A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1980159A (en) * | 2005-12-08 | 2007-06-13 | 信息产业部电信传输研究所 | Internet protocol network end-to-end performance monitoring system and method |
| US20080089336A1 (en) * | 2006-10-17 | 2008-04-17 | Christina Woody Mercier | Location of a probe algorithm |
| CN102821024A (en) * | 2011-06-07 | 2012-12-12 | 中兴通讯股份有限公司 | Method, device and system for implementing safety of data link |
| CN103944887A (en) * | 2014-03-24 | 2014-07-23 | 西安电子科技大学 | Intrusion event detection method based on hidden conditional random field |
| CN106101130A (en) * | 2016-07-08 | 2016-11-09 | 北京易华录信息技术股份有限公司 | A kind of network malicious data detection method, Apparatus and system |
| CN106713307A (en) * | 2016-12-20 | 2017-05-24 | 中国科学院信息工程研究所 | Method and system for detecting consistency of flow tables in SDN (Software-defined Networking) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110166318A (en) * | 2019-05-15 | 2019-08-23 | 杭州迪普科技股份有限公司 | A kind of data statistical approach and device |
| CN110166318B (en) * | 2019-05-15 | 2021-01-26 | 杭州迪普科技股份有限公司 | Data statistical method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106464577B (en) | Network system, control device, communication device and communication control method | |
| CN106357622B (en) | Exception flow of network based on software defined network detects system of defense | |
| CN103095675B (en) | ARP spoofing attack detection system and method | |
| CN107124630A (en) | The method and device of node data management | |
| CN107579876A (en) | A kind of automatic detection analysis method and device of assets increment | |
| CN106572107A (en) | Software defined network-oriented DDoS attack defense system and method | |
| CN106708700B (en) | A kind of O&M monitoring method and device applied to server-side | |
| CN103414608B (en) | Rapid web flow collection statistical system and method | |
| CN101814977A (en) | TCP flow on-line identification method and device utilizing head feature of data stream | |
| CN107453884A (en) | The service quality detection method and device of a kind of network equipment | |
| CN102315974A (en) | Stratification characteristic analysis-based method and apparatus thereof for on-line identification for TCP, UDP flows | |
| CN102664789B (en) | The processing method of a kind of large-scale data and system | |
| CN101960782A (en) | In-bound mechanism that verifies end-to-end service configuration with application awareness | |
| CN103959715B (en) | For testing the mthods, systems and devices of DIAMETER routing nodes | |
| CN109992427A (en) | DPI correlation rule backfills processing method, device, equipment and medium | |
| CN105827629A (en) | Software definition safety guiding device under cloud computing environment and implementation method thereof | |
| CN110505228A (en) | Big data processing method, system, medium and device based on edge cloud framework | |
| CN110266679A (en) | Capacitor network partition method and device | |
| CN106331172A (en) | Method and device for detecting resources for content distribution network | |
| CN107332738A (en) | A kind of method and system of quick discovery network probe | |
| CN106021552A (en) | Internet creeper concurrency data collection method and system based on crowd behavior simulation | |
| CN101321097A (en) | Tencent network living broadcast business recognition method based on payload depth detection | |
| CN108512816A (en) | A kind of detection method and device that flow is kidnapped | |
| CN109803030A (en) | A kind of anonymity intermediate proxy server and its communication means | |
| CN106060805A (en) | Big data processing system based on secure wireless transmission |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20171107 |